Re: Trend Micro's Vista "0day exploit auction" claim

[Simple Nomad <thegnome () nmrc org>]

Uh, re-read my post. My point was that based upon somewhat recently
prices on XP exploits, $50k for a Vista exploit did not surprise me one
bit. Maybe not exactly the confirmation you or Roger were looking for,
but I've seen high 5 figure offers for XP exploits for a while, I've
heard of low 6 figure offers from multiple people I trust, and if I were
a bad guy selling 0day I would certainly expect to get a decent price
for Vista exploits -- particularly for non-client-side remote root.

What Trend Micro is reporting on (at least I think) is that there was an
individual or group that was offering up a 0day Vista exploit with a
price tag of $50k, which is currently being "confirmed and evaluated" by
a "trusted third party" (who will probably get a cut of the sale). Odds
are it will go for less. Joke about it if you like, but it is
practically 0bay out there. Some of the Russian boards are discussing
this, like "is it really worth it" and "could they get more". Based on
previous experience and the "talk on the street" (thanks to Google, and
the Beta Google translation from Russian to English) I'd say it is real.
IMO it is an attempt to drive up the price of future exploits. 

Now are Vista exploits actually going for $50k? No confirmation there,
but someone is currently offering one for that amount, and it is
possible they will get that much or even more.

-SN

On Wed, 2006-12-20 at 15:31 -0700, Drew Brown wrote:
> Uh... Roger isn't talking about XP. He's talking about Vista. Re-read
> his post.
>
> I thought he was talking about XP at first too.
>
> And I wondered if the thing was valid myself.
>
>
>
> Drew
>
> On 12/20/06, Simple Nomad <thegnome () nmrc org> wrote:
>         On Tue, 2006-12-19 at 21:55 -0500, Roger A. Grimes wrote:
>         > I can't verify it. But $50K for an exploit against an OS
>         that will not
>         > be widely deployed for many months seems to be excessive.
>         Who in their
>         > right mind would want to pay $50K to exploit 10 machines
>         before the
>         > exploit is captured, sent to MS, and patched, all before the
>         general
>         > population really starts running it.
>         >
>         > It doesn't pass the commonsense test to me. A zero day on XP
>         Pro would 
>         > be oh, so much more valuable.
>         
>         XP exploits *are* more valuable. Considering XP exploits
>         already go for
>         as much as twice that, $50k actually seems reasonable, or if
>         not
>         reasonable, at least what the market will bear. I haven't seen
>         auction 
>         boards recently (in fact since fed crackdowns it is getting
>         harder to
>         get on some boards) and never saw Vista on there as it was
>         before
>         Vista's time, but I have seen large amounts. While up to 6
>         figures for a 
>         remote root XP exploit seems excessive, $50k for Vista does
>         not strike
>         me as outrageous, all things considered.
>         
>         Organized cybercrime, for lack of a better word, seems to be
>         fairly well
>         organized. An aggressive business person is willing to spend
>         money to 
>         make money, so having multiple 0days for future business
>         expansion would
>         only make sense, particularly in an area with so much
>         unlaundered cash
>         floating around. If the ecommerce sites start moving to Vista
>         and you 
>         have remote root on Vista, burning a 0day to hit a few dozen
>         major sites
>         and grab customer lists, CC #'s, etc is totally worth $50k.
>         
>         Another thing to bear in mind is that some of the value here
>         may lie in 
>         something besides actual money. For example someone might be
>         willing to
>         trade a run of CC #'s for a Firefox exploit, and if each
>         credit card
>         would normally fetch $200, your exploit might be worth 50
>         credit card 
>         numbers which have a street value of $10k. If you were real
>         good at
>         carding you could easily turn this into twice or three times
>         that.
>         Otherwise the exploit might only be worth a couple thousand in
>         actual
>         cash. 
>         
>         -SN
>